-x MIN:MAX:CHARSET
MIN is the minimum number of characters in the password
MAX is the maximum number of characters in the password
CHARSET is a specification of the characters to use in the generation
valid CHARSET values are: 'a' for lowercase letters,
'A' for uppercase letters, '1' for numbers, and for all others,
just add their real representation.

Examples:

-x 3:5:a generate passwords from length 3 to 5 with all lowercase letters
-x 5:8:A1 generate passwords from length 5 to 8 with uppercase and numbers
-x 1:3:/ generate passwords from length 1 to 3 containing only slashes
-x 5:5:/%,.- generate passwords with length 5 which consists only of /%,.-
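
As a defender's sizing aid, the following added example (not part of Hydra and not from the original page) parses a MIN:MAX:CHARSET spec as described above, counts the candidates it describes, and checks whether a given password falls inside that space. Splitting on the first two colons only and counting repeated characters once are assumptions of this sketch.

```python
import string

# Class shorthands described in the -x help text; any other character is literal.
CLASSES = {"a": string.ascii_lowercase, "A": string.ascii_uppercase, "1": string.digits}


def parse_x_spec(spec):
    """Parse MIN:MAX:CHARSET into (min_len, max_len, alphabet)."""
    parts = spec.split(":", 2)  # assumption: only the first two colons separate fields
    if len(parts) != 3 or not parts[2]:
        raise ValueError("expected MIN:MAX:CHARSET")
    min_len, max_len = int(parts[0]), int(parts[1])
    if min_len < 1 or max_len < min_len:
        raise ValueError("need 1 <= MIN <= MAX")
    alphabet = []
    for ch in parts[2]:
        for c in CLASSES.get(ch, ch):
            if c not in alphabet:  # assumption: repeated characters count once
                alphabet.append(c)
    return min_len, max_len, "".join(alphabet)


def keyspace(spec):
    """Number of candidate passwords the spec describes."""
    min_len, max_len, alphabet = parse_x_spec(spec)
    return sum(len(alphabet) ** n for n in range(min_len, max_len + 1))


def covers(spec, password):
    """True if the password lies inside the space the spec describes."""
    min_len, max_len, alphabet = parse_x_spec(spec)
    return min_len <= len(password) <= max_len and all(c in alphabet for c in password)


if __name__ == "__main__":
    # The four specs from the examples above.
    for spec in ("3:5:a", "5:8:A1", "1:3:/", "5:5:/%,.-"):
        print(f"{spec:12} {keyspace(spec):>18,} candidates")
```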

Hydra Supported Protocols

Supported protocols:

asterisk afp cisco cisco-enable cvs firebird ftp ftps http-head https-head
http-get https-get http-post https-post http-get-form https-get-form
http-post-form https-post-form http-proxy http-proxy-urlenum icq imap imaps
irc ldap2 ldap2s ldap3 ldap3s ldap3-crammd5 ldap3-crammd5s ldap3-digestmd5
ldap3-digestmd5s mssql mysql nntp oracle-listener oracle-sid pcanywhere pcnfs
pop3 pop3s postgres rdp redis rexec rlogin rsh rtsp s7-300 sip smb smtp smtps
smtp-enum snmp socks5 ssh sshkey svn teamspeak telnet telnets vmauthd vnc xmpp

Options of Hydra Supported protocols

cisco

Module cisco optionally takes the keyword ENTER; it then sends an initial ENTER when connecting to the service.

cisco-enable

Module cisco-enable optionally takes the logon password for the cisco device.

Note: if AAA authentication is used, use the -l option for the username and the optional parameter for the password of the user.

For example: "/secret" or "http://bla.com/foo/bar" or "https://test.com:8080/members"

http-get-form, https-get-form, http-post-form, https-post-form

Module http-get-form requires the page and the parameters for the web form.

By default this module is configured to follow a maximum of 5 redirections in a row. It always gathers a new cookie from the same URL without variables. The parameters take three ":" separated values, plus optional values.

(Note: if you need a colon in the option string as value, escape it with "\:", but do not escape a "\" with "\\".)

Syntax:

<url>:<form parameters>:<condition string>[:<optional>[:<optional>]]

First is the page on the server to GET or POST to (URL).

Second is the POST/GET variables (taken from the browser, a proxy, etc.), with usernames and passwords replaced by the "^USER^" and "^PASS^" placeholders (FORM PARAMETERS).

Third is the string that it checks for an *invalid* login (by default). An invalid-login condition check can be preceded by "F="; a successful-login condition check must be preceded by "S=". This is where most people get it wrong. You have to check what the web application returns on a failed login and put that string in this parameter!

The following parameters are optional:

C=/page/uri

to define a different page to gather initial cookies from

(h|H)=My-Hdr\: foo

to send a user defined HTTP header with each request

^USER^ and ^PASS^ can also be put into these headers!

Note: 'h' will add the user-defined header at the end, regardless of whether it is already being sent by Hydra.

'H' will replace the value of that header if it exists, by the one supplied by the user, or add the header at the end.

Note that if you are going to put colons (:) in your headers you should escape them with a backslash (\). All colons that are not option separators should be escaped (see the examples above and below).

You can specify a header without escaping the colons, but that way you will not be able to put colons in the header value itself, as they will be interpreted by hydra as option separators.
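
The colon-escaping and h/H rules described above, worked through as an added example (not Hydra's own code and not from the original page): the option string is split on unescaped colons, the condition is classified as F= or S=, and the user headers are merged into a base header list. The sample option string, its path, form fields and header names are constructed for illustration.

```python
import re

# Constructed sample option string (hypothetical path, form fields and headers).
SAMPLE = r"/app/login:user=^USER^&pass=^PASS^:F=Login failed:H=User-Agent\: audit-client:h=X-Trace\: a\:b"


def split_form_options(option_string):
    """Split on ':' separators; a backslash-escaped colon stays in the value."""
    fields = re.split(r"(?<!\\):", option_string)
    return [f.replace("\\:", ":") for f in fields]


def parse_form_options(option_string):
    fields = split_form_options(option_string)
    if len(fields) < 3:
        raise ValueError("need <url>:<form parameters>:<condition string>")
    url, params, cond = fields[:3]
    # No prefix or "F=" marks a failure string; "S=" marks a success string.
    if cond.startswith("S="):
        kind, text = "success", cond[2:]
    else:
        kind, text = "failure", (cond[2:] if cond.startswith("F=") else cond)
    parsed = {"url": url, "params": params, "condition": (kind, text),
              "cookie_page": None, "headers": []}
    for opt in fields[3:]:
        key, _, value = opt.partition("=")
        if key == "C":
            parsed["cookie_page"] = value
        elif key in ("h", "H"):
            name, _, hval = value.partition(":")
            parsed["headers"].append((key, name.strip(), hval.strip()))
        else:
            raise ValueError(f"unknown optional parameter: {opt!r}")
    return parsed


def apply_headers(base, user_headers):
    """'h' always appends; 'H' replaces an existing header, else appends."""
    out = list(base)
    for mode, name, value in user_headers:
        idx = [i for i, (n, _) in enumerate(out) if n.lower() == name.lower()]
        if mode == "H" and idx:
            out[idx[0]] = (name, value)
        else:
            out.append((name, value))
    return out
```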

Basic, DIGEST-MD5 and NTLM are supported and negotiated automatically.

http-proxy-urlenum

Module http-proxy-urlenum only uses the -L option, not the -x or -p/-P options. The -L loginfile must contain the URL list to try through the proxy. The proxy credentials can be put as the optional parameter, e.g.

Additionally TLS encryption via STARTTLS can be enforced with the TLS option.

Example: smtp://target/TLS:PLAIN

smtp-enum

Module smtp-enum optionally takes one SMTP command of: VRFY (default), EXPN, RCPT (which will connect using the "root" account). The login parameter is used as the username and the password parameter as the domain name.

For example to test if john@localhost exists on 192.168.0.1:

hydra smtp-enum://192.168.0.1/vrfy -l john -p localhost

snmp

Module snmp is optionally taking the following parameters:

READ   perform read requests (default)
WRITE  perform write requests
1      use SNMP version 1 (default)
2      use SNMP version 2
3      use SNMP version 3

Note that SNMP version 3 usually uses both login and passwords!

SNMP version 3 has the following optional sub parameters:

MD5    use MD5 authentication (default)
SHA    use SHA authentication
DES    use DES encryption
AES    use AES encryption

If no -p/-P parameter is given, SNMPv3 noauth is performed, which only requires a password (or username), not both.

Attempt to login as the user (-l user) using a password list (-P passlist.txt) on the given FTP server (ftp://192.168.0.1):

hydra -l user -P passlist.txt ftp://192.168.0.1

Attempt to login on the given SSH servers (ssh) from the list (-M targets.txt) using a user list (-L logins.txt) and password list (-P pws.txt):

hydra -L logins.txt -P pws.txt -M targets.txt ssh

Attempt to login on the given FTP servers on the given subnet (ftp://[192.168.0.0/24]/) as the user admin (-l admin) and the password password (-p password):

hydra -l admin -p password ftp://[192.168.0.0/24]/

Attempt to login on the given mail server (imap://192.168.0.1/), using IMAP protocol with a user list (-L userlist.txt) and the password defaultpw (-p defaultpw), taking the authentication type PLAIN:

hydra -L userlist.txt -p defaultpw imap://192.168.0.1/PLAIN

Attempt to login on the given mail server using POP3S on the given IPv6 (-6) address 2001:db8::1, on port 143 using the credential list "login:password" from the defaults.txt file (-C defaults.txt) taking the authentication type DIGEST-MD5 and enforced TLS encryption via STLS (TLS).

hydra -C defaults.txt -6 pop3s://[2001:db8::1]:143/TLS:DIGEST-MD5

xHydra (GUI for THC-Hydra)

xhydra is a Gtk+2 frontend for thc-hydra.

To start the xHydra GUI, run:

xhydra

Tools included in the hydra package

hydra – Very fast network logon cracker

pw-inspector – Reads passwords in and prints those which meet the requirements

Help pw-inspector

PW-Inspector reads passwords in and prints those which meet the requirements. The return code is the number of valid passwords found, 0 if none was found. Use for security: check passwords, if 0 is returned, reject password choice.

Use for hacking: trim your dictionary file to the pw requirements of the target.